Tag Archives: digital identity

Protecting Privacy While Reopening Economies

The Value of the Pan-Canadian Trust Framework

Co-written by Kaliya Young, IdentityWoman & Joni Brennan, DIACC President

Around the world, people are suffering due to the disruption caused by the COVID-19 pandemic. Some of this suffering is due to the need to move education and work to take place fully online. Many workplaces have moved their workforce to be remote.  However, not all workplaces are able to function remotely. (Examples goods and essential services, pharmacy, travel etc…) Workplaces that are not able to operate remotely have shut down or limited hours and capacity severely.  This puts a massive strain on economies.  

In the past we have talked about Digital Identity as a convenience to make it easier for people to transact with cybersecurity and privacy protection. Now, when we talk about security, the conversation is urgent and focused on life security.  People are asking, “Will I be able to continue to work? Will I be able to put food on the table?”  

Governments and businesses are urgently looking for tools to safely reopen and restart economies. 


In the U.S., large cities are considering proposals that delegate the management of phygital (physical-digital) identity to CLEAR, a U.S. based company, so that cities can “safely reopen” their local economies by requiring people who want to navigate the city to have a CLEAR ID and link it to their health record/COVID status. 

CLEAR offers a service that replaces a physical ID check with a biometric scan of a person’s eyes and fingertips. In some locations, this service allows passengers to move through airport security faster. 

CLEAR is like “login-with Facebook” or “login-with Google” where people are required to get into websites to have a relationship with these private identity providers where CLEAR’s service straddles both the physical and digital worlds. 

Just as Facebook or Google login tracks and surveils you and your behaviours, the CLEAR approach could essentially track and surveil people in the physical world. This approach also has the potential to delegate authority to manage access to public spaces by a single private sector entity. Without an agreed on and adopted framework, this type of approach could have the effect of restricting freedom of movement to be managed by a single private sector entity.  

Why Trust Frameworks Matter

As businesses and governments are looking for tools to safely reopen and restart economies.  Tools for reopening are an important part of the challenge.  Tool development and tool selection in these scenarios must be guided by “rules of the road” that put people and socioeconomic security at the centre of the design. 

Without transparent operational guidance, people’s privacy and personal freedoms may be compromised. By having a set of operational rules, decision makers will have the capacity to make better decisions that will enable the public to trust that the tools being implemented have been designed to respect their best interests. 

The Pan-Canadian Trust Framework represents a set of operational rules that have been developed by public and private sector leaders to enable a diversity of public and private sector organizations to provide services and solutions that could help to restart the economy.  

By having a Pan-Canadian Trust Framework, the playing field could be leveled to enable a diversity of entities to play a role in safely reopening economies with privacy and personal data protections built in by design. 

The Pan-Canadian Trust Framework has been built with privacy and consent to personal information disclosure embedded into all aspects of the design. The Pan-Canadian Trust Framework has been designed to measure the implementation of assurance, security and privacy practices in networks and solutions that are built on various (and often different) technologies. 

For more information about how your organization can adopt or help to shape the Pan-Canadian Trust Framework please visit diacc.ca or contact us at info@diacc.ca.

Making Sense of Digital Wallets

Guidelines for Design

Recent advances in the state of the art of digital identity systems are putting the user back in control of their information and their privacy. An important building block of this advancement is the digital wallet for users. This document proposes what a trusted digital wallet should aim to do. Without it, software developers are left to guess, the marketplace offering will be fragmented, and ultimately will result in delaying the adoption of user-centric digital identity solution.

Download the paper.


The Next Evolution of Levels of Assurance in Canada

Levels of Assurance (LOA) play a foundational role in the world of standards, digital identity, and digital transactions. Put simply, LOA is the degree of confidence in the validity of a claim, process, or authentication. In the sphere of digital identity, it is a necessary model to verify that the person or entity claiming an identity is the entity to which that identity was assigned. 

Most Canadians don’t think too deeply about LOAs, and yet most Canadians interact with these models, unknowingly, at some point in their lives. For example, Canadian experience LOAs when opening a bank account, demonstrating qualifications for a government service or benefit, making an insurance claim, or wiring money to a client or family member. 

Organizations that use LOAs to inform their policies and processes often have dedicated strategies and teams, working out contingencies and approaches to maximize security in Canada and internationally. These teams often face challenges interacting with other service providers, meeting different standards across jurisdictions, and minimizing friction for clients accessing their services.

How the Current LOA Model Works

Imagine two people, Samir and Aiya, are trying to apply for a small business loan. Both women have very strong credentials, a passport, driver’s license and the requisite business records. Samir and her credentials are linked through a knowledge-based authentication (KBA), and are accepted after answering a security question she previously populated about her father’s middle name. Aiko and her credential are linked with an in-person ceremony, as she went to her local bank branch with two pieces of identification and her business records to complete the loan application. Aiya’s scenario offers a stronger LOA and Samir’s a weaker LOA. Despite these differences, Canada’s federal LOAs currently dictate that Samir and Aiya both have the same assurance. 

In Canada and many places around the world, it is common for LOA structures to combine a number of factors into a single score. The result is an obscured view of the risk factors and authentication. This lack of granularity into the LOAs of specific capabilities is a challenge present in the construct of LOA models around the world. The deciding factor regarding acceptance of an identity comes down to Relying Parties (parties who rely on the validity of identities) who determine their own risk profiles. 

In this case, the relying party is the bank. The banker helping Samir and Aiya also benefits from a stronger LOA as they sign off on the business loan. In addition to building a stronger relationship with the client, they are able to manage their portfolio with confidence.

There is widespread agreement the current LOA model in Canada is inadequate. While LOAs serve a purpose, they are not transparent and dynamic enough to address the myriad digital solutions and scenarios of today. Internationally, single LOA schemes are no longer state of the art and today’s requirements necessitate separate evaluation for specific capabilities. In the DIACC community, there is consensus that there must be separate schemes for credentials and identity, at a minimum, in order to be useful in the widest possible range of scenarios and contexts. An improved assurance model should be capable of asserting identity and credentials at different levels.

Envisioning a New Risk-based Model for Assurance

A risk-based model offers a more enduring, user- and industry-friendly path forward that enables existing LOA schemes to participate while building for a more dynamic and scalable digital ecosystem. The notion of leveraging a risk-based model is highly applicable as the application of LOAs  today are best determined by performing a threat or risk analysis. The risk-based model must address the likelihood and impact of something happening, and the appropriate mitigation approach. 

LOA is essential in determining liability and risk; offering a clear understanding how a Subject (customer or citizen) and a Relying Party (company or government service) can validate that they are who they say they are. It is a central component in being able to determine whether a transaction should proceed. 

The risk-based starts by assessing risk first and then the approach drives more value for organizations, as they confront the baseline of their current systems and assess risk realistically. It also helps adopters improve their systems through motivation to  reduce or remove risks through various types of mitigation.

DIACC is on a mission to rapidly deliver a modern, risk-based LOA model that is…

  • Risk-based
  • Directive and illustrative
  • Non-prescriptive in execution
  • Evergreen
  • Deterministic in implementation and assessment
  • Congruent with existing state of the art and best practices
  • Inclusive in support of both the private and public sector
  • Supportive of evolving needs on credentials and bindings

The impact of this evolution is far-reaching, and will ensure that the  Pan-Canadian Trust FrameworkTM is strong and resilient over time. This evolution takes a framework-wide approach to address interdependencies, independencies, and support communication across platforms. This new approach ensures scalability over time as technologies and their uses evolve.

DIACC has engaged a small, representative team to rapidly deliver a new model to support the PCTF, which launched September 15, 2020. The model will benefit from the DIACC’s well-documented peer and public review process. Members can contact info@diacc.ca to contribute. Non-members can get in touch to learn more.

Newly Launched Digital ID Framework to Begin Testing in Canada

Governments and Businesses to Begin Testing Across Canada

TORONTO, September 15, 2020 – The Digital ID & Authentication Council of Canada (“DIACC”) today announced the launch of the Pan-Canadian Trust FrameworkTM (“PCTF”), a set of digital ID and authentication industry standards that will define how digital ID will roll out across Canada. Its launch marks the shift from the framework’s development into official operation and will begin alpha testing by public and private sector members in Canada. The alpha testing will inform the launch of DIACC’s PCTF Voila Verified Trustmark Assurance Program  (“Voila Verified”), set to launch next year.

“The pandemic has pushed digital adoption five years into the future. Without the proper infrastructure for digital ID and authentication in place, we’ve seen firsthand how Canadians have been left vulnerable and with limited access to essential services” said Eros Spodotto, Executive Vice-President, Technology Strategy and Business Transformation at TELUS

“Trust and security are the foundations of the digital economy. The key to unlocking a true digital experience comes from having a digital ID ecosystem that extends beyond any one sector.”
– Franklin Garrigues, VP Digital Channels at TD Bank, and DIACC Board Vice-Chair

From open banking to e-health, digital ID is a key enabler in unlocking the next frontier of our digital economy. Banks and telcos fortunately have been able to leverage existing digital ID services to support Canadians. “Digital identity verification has helped countless Canadians receive financial aid during the pandemic,” notes Andre Boysen, Chief Identity Officer at SecureKey, “but it’s not enough. Now, we need to leverage that momentum, and push out a solution for digital ID in all levels of society. The PCTF is that answer.”

“The PCTF launch marks an important milestone in Canada’s digital transformation initiatives,” exclaims Dave Nikolejsin, Board Chair at DIACC, “Canadians have had to deal with identity theft and fraud, high anxiety in accessing services that they were in dire need of while facing social distancing measures, and attempting to go about their lives as normally as possible. Digital ID minimizes all of those pain points, and elevates the livelihoods of Canadians everywhere.” Joni Brennan, President of DIACC, adds, “Our economy has also been heavily impacted by all this, and we know digital identity has the potential to add at least 3 percent of GDP, which is potentially almost $100 billion back into our Canadian economy. This is why we’ve accelerated the launch of the PCTF. The time for digital ID is now.”

“The Digital ID Laboratory of Canada is a proud partner of the DIACC, with a strong community that is ready to support the launch of the PCTF and ensure that together, we can accelerate the adoption of user-centric and interoperable digital ID solutions across the country.”
Pierre Roberge, General Manager of the Digital ID Laboratory of Canada

Alpha testing of the PCTF will be carried out by over 20 Canadian public and private sector DIACC member organizations during the next two quarters with the purpose of operationalizing the framework as fast as possible. Organizations that have volunteered to take part in the alpha test seek to gain strategic and operational insights to become demonstrated leaders in digital identity. 

Learnings taken from the alpha testing will help DIACC identify what is needed to scale up a digital identity infrastructure across Canada, and help Canada secure international digital interoperability and accreditation by working with international and third party partners such as eIDAS and Kantara Initiative IAF

A Digital ID Trademark You Can Trust

The alpha testing will also inform the launch of the DIACC PCTF Voila Verified Trustmark Assurance Program (“Voila Verified”). The program is set to launch in fall 2021, and will issue a PCTF Voila Verified Trustmark to organizations who demonstrate compliance with PCTF components. Voila Verified will enable solutions and service providers to leverage the trustmark to elevate their market leadership and allow them to collaborate securely with assurance, providing their customers with the digital-first experience that they demand. 

“We’re pleased to work with the DIACC to help recognize the Voila Verified Program on an international scale. It is through secure global credentials that we can transform the state of digital identity, and progress the digital economy worldwide.”
– Colin Wallis, Executive Director of Kantara Initiative

Multijurisdictional Collaboration: Enabling Trusted Digital Inclusion for All

The launch of the PCTF comes at a time when having a strong digital economy is no longer a ‘nice-to have’; rather, it is imperative for Canadians. More than 70 per cent of Canadians want to see the government and private sector collaborate on a joint identity framework in Canada. “We’ve seen the benefits and advantages of digital ID for people in British Columbia during this pandemic,”, said CJ Ritchie, Associate Deputy Minister and Government Chief Information Officer for the Province of British Columbia, “From government to healthcare, commerce, and financial services, the entire provincial economy is being impacted by COVID-19. Having a robust digital identity/trust ecosystem allows all Canadians to do more online, in a safer, more secure and confident way.”

The PCTF was developed collaboratively between public and private sector stakeholders, with contributions from a broad array of individuals and organizations around the world. Over 3,400 public comments were provided over four years that helped progress the framework to its launch today. 

“The framework released today was created through an incredible collaboration involving hundreds of people who worked to contribute, comment, and lend their ideas,” noted Peter Watkins, Program Executive for the Pan-Canadian Digital ID at the Institute for Citizen-Centred Service, “we’re committed to continuing our multi-jurisdictional collaboration as we move into the next stages for this important work.”

About the PCTF & Voila Verified Program

Details on the PCTF may be found in this backgrounder.
Details on the Voila Verified Program may be found in this backgrounder.

A Summary: Making Sense of Identity Networks

Who do identity networks serve, what functions do they support, and what are some key questions to consider, when selecting a network? This infographic distills the key concepts laid out in the DIACC white paper Making Sense of Identity Networks, based on research performed by DIACC member Consult Hyperion and developed in consultation with DIACC members.

Download the infographic: Making Sense of Identity Networks Infographic 

Download the paper: Making Sense of Identity Networks